The Dell Sonicwall Threat Research team has received reports of yet another ransomware. KillerLocker ransomware is not any different from other ransomwares we have seen in the past. It encrypts the victim's files and shows a warning once it finished its job. This time, the warning uses a creepy image of a killer clown. With killer clown attacks all over the news lately, cyber criminals have clearly caught on with the clown craze.

Infection Cycle:

KillerLocker uses the following file properties:

Figure 1: KillerLocker file properties clearly says "killerlocker"

Upon execution, it creates a file named key.txt with the following contents:

Figure 2: Key.txt with contents that read "chavekey12345678910"

It then proceeds to encrypt files in the victim's machine. It appears to be reading the content of key.txt for every file that it encrypts.

Figure 3: Killerlocker reads the key.txt file during encryption of the victim's files.

Encrypted files are appendeded with a ".rip" file extension.

Figure 4: Example of encrypted files with .rip extension

System files such as taskmgr.exe and regsvr32.exe which are common tools used to monitor processes, services or startup progams are also encrypted. The victim will be unable to reboot his machine since operating system boot related files are also encrypted which will render the machine useless at this point.

Figure 5: System fails to boot

Upon successful infection, KillerLocker opens a window with the clown image and a warning.

Figure 6: KillerLocker warning screen

The text on the warning screen is written in Portuguese and translates to:

"All your files have been encrypted with a very strong AES-256 encryption. Send payment: 000-00 / 00 up to 48 hours.
You can not do anything about it and your key will be eliminated in 48 hours!"

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature: